A THOROUGH HIGH-RISK MEMBER ASSESSMENT DIRECTS RESOURCES TO AN EFFICIENT ENHANCED DUE DILIGENCE PROGRAM AT CORPORATE CREDIT UNIONS

And how audit can validate the high risk member assignment.

Jennifer B. Morrison, CAMS

Source: files.acams.org/pdfs/2017/A_Thorough_High_Risk_Member_Assessment_J.Morrison.pdf

ABSTRACT

A thorough high risk member assessment can direct limited resources to an effective enhanced due diligence program for corporate credit unions (in a correspondent banking model) and how audit can validate the high risk member assignment.


Contents

Executive Summary
Introduction: Corporate and Natural Person Credit Unions
Non-Federally Insured Credit Unions
Regulatory Background
The Correspondent Banking Model and Its Risks
MIP and MDD Requirements for Corporate Credit Unions
Audit Approach: Corporate Credit Union High Risk Member Assessments
High Risk Member Assessment Audit – Recommendations and Reporting
High Risk Member Assessment Audit Resiliency
Conclusion
Appendix A

Executive Summary

The National Credit Union Administration (NCUA) is the independent federal agency created by the United States Congress to regulate, charter, and supervise federal credit unions. With the backing of the full faith and credit of the U.S. government, the NCUA operates and manages the National Credit Union Share Insurance Fund (NCUSIF), insuring the deposits of account holders in all federal credit unions and the majority of state-chartered credit unions.

Corporate credit unions are the correspondent to their respondent natural person member credit unions, acting as a third party payment processor for their respondents in payment systems, including wire transfer, share draft (check) processing, Automated Clearing House (ACH) origination and receipt, and electronic-banking. In addition, corporate credit unions typically provide investment and liquidity products and services to their natural person credit union members.

As the correspondent Financial Institution (FI), corporate credit unions can be downstream recipients of their respondents’ risks and compliance failures. Natural person credit unions are regulated FIs, mitigating their corporate credit unions’ Bank Secrecy Act/Anti-Money Laundering (BSA/AML) reputation, regulatory and compliance risks. Most corporate credit unions have limited detection and monitoring resources due to a lack of staff and the absence of monitoring systems built for wholesale banking. A corporate credit union must efficiently target its resources for enhanced due diligence toward higher risk activities and transactions that are more likely to occur. Further, natural person credit unions do not communicate their risk profile directly to their corporate credit union(s) and may have gaps in their BSA/AML program. A thorough high risk member assessment can mitigate these additional corporate credit union reputation, regulatory and compliance risks.

The goal of the audit program is to ensure that the elements of a prudent high risk member assessment are in place to mitigate the aforementioned risks the natural person credit union transactions present to a corporate credit union’s overall BSA/AML compliance program.

Introduction: Corporate and Natural Person Credit Unions

“A corporate credit union is a member-owned, member-controlled, not-for-profit cooperative financial institution formed to serve other credit unions (also referred to as natural person credit unions). Member ownership and control are what make credit unions and corporate credit unions unique.” (Federal Corporate Credit Union Chartering Manual, 2016)

The corporate credit union was created to meet the credit union system’s need for an industry source for liquidity during a period of rapid growth experienced in the 1970s. Credit union leadership at the time was determined to find a solution within the credit union movement, rather than relying on the banking industry to fill the void. Corporate credit unions were first chartered to serve specific Fields Of Membership (FOM), generally limited to a specific state or geographic region. In the mid-1990s, the NCUA permitted corporate federal credit unions to expand to national FOMs. Today, approximately 99 percent of all Natural Person Credit Unions (NPCUs) have accounts in at least one corporate credit union, and 75 percent of NPCUs rely on a corporate credit union as their primary settlement agent. (Federal Corporate Credit Union Chartering Manual, 2016)

NPCUs can join more than one corporate credit union. While many do so, the NPCU is likely to choose just one corporate credit union for its payments processing. The other corporate credit union memberships are typically to diversify investment and liquidity service providers. The average NPCU has $206.6 million in total assets and 17,273 members. Credit unions range in size from Navy Federal Credit Union with its $75.1 billion in assets and 6.1 million members [1] to three (3) NPCUs with assets under $60,000 [2]. This work is limited to U.S.-based NPCUs, including U.S. territories. Very few NPCUs have non-U.S. branches or operate fixed locations outside the U.S. Ultimately, the legacy of the NPCU is the “common bond” or FOM and the limited risks it was designed to provide, as follows:

“By requiring credit unions to serve only groups with pre-existing associations or relationships, Congress effectively tapped the members of the credit union to monitor each other. The logic behind the common bond requirement was both simple and elegant: If the credit union's members associated with each other on a regular basis, they would be less likely to default on their obligations knowing that their friends, neighbors and co-workers would end up paying the price...The numbers and data from a credit history can be invaluable, but so too is personal knowledge, forged through a common bond, of how a potential borrower conducts himself.” (Brannon, 2012)

Unlike banks, NPCUs have a member business loan limit, which today stands at 12.25 percent of a NPCU’s assets. According to American Banker, over 70 percent of credit unions make no member business loans. (Brannon, 2012) The relevance of this limit is that it effectively focuses most NPCUs’ membership base on consumers. This means that corporate credit unions process millions of consumer payments daily. The Member Business Loan (MBL) rule is scheduled to change on January 1, 2017; however, NCUA guidance has yet to be issued. (Merrick, 2016)

[1] Based on NCUA 5300 call report data, 3/31/16.
[2] Based on NCUA 5300 call report data, 6/30/16.

In providing payment processing services for their member NPCUs, corporate credit unions typically pass payments as a third party payment processor and in batch. By processing payments in batch, the corporate credit union can provide least-cost routing and expedited processing, but it also eliminates payment monitoring in the manner in which many retail FIs perform the function. Further, corporate credit unions have no access to their members’ member records and a member’s Member Due Diligence (MDD). Wire transfers and international ACH payments are the only transactions processed in an unbatched form. The level of due diligence conducted on each by a corporate credit union is therefore similar to that of a retail FI; however, the corporate credit union has no access to its members’ member records or a member’s MDD.

Corporate credit unions traditionally approached transaction monitoring from the batched perspective. Staff needs were therefore limited. Corporate credit unions have relied on a mix of manual and home-grown systems for their own MDD compliance for some time. At a corporate credit union collaboration meeting several years ago, one corporate credit union was marketing its own home-grown system. Since that time, including a pending merger, the total number of corporate credit unions will have declined from 13 to 11. Due to consolidation among corporate credit unions and wholesale FIs generally, including bankers’ banks, there is no commercially available transaction monitoring system for wholesale FIs, and the probability of system development is near-zero. Modifications to existing retail-based systems for wholesale FIs are very expensive. (See also Appendix A)

Non-Federally Insured Credit Unions

State-chartered credit unions may be privately insured. American Share Insurance (ASI), located in Dublin, Ohio, is a member-owned share insurance fund dually regulated by the Ohio Department of Insurance and by the states in which it operates. With ASI, the $250,000 in deposit or share insurance is per account, with no limit to the number of accounts per individual member that can be insured. Excess Share Insurance through ASI is also offered in some states. (American Share Insurance, 2016) As of August 25, 2016, 265 credit unions were privately insured out of 6,073 total NPCUs in the U.S. and its territories. (National Credit Union Administration, 2016) (Department of the Treasury, Financial Crimes Enforcement Network, 2016)

Regulatory Background

On August 25, 2016, the Financial Crimes Enforcement Network’s (FinCEN) Advanced Notice of Proposed Rulemaking (ANPR) was posted to the Federal Register [3]. The Proposed Rule (Rule) amends Customer Identification Programs, Anti-Money Laundering Programs, and Beneficial Ownership Requirements for banks lacking a Federal Functional Regulator (FFR). (Department of the Treasury, Financial Crimes Enforcement Network, 2016, p. 58425) The Rule highlights one of the unique risks corporate credit unions face in their role as a correspondent FI when serving their privately insured NPCU members. The unique risk is that a privately insured NPCU may be in regulatory compliance, yet lack a robust Anti-Money Laundering (AML) program.

Section 352 of the USA PATRIOT Act requires FIs to establish AML programs that at a minimum include the Four Pillars [4]. Section 352 authorizes FinCEN to work with the appropriate FFR in prescribing minimum standards for an AML program. Most FIs became subject to an AML program requirement with FinCEN’s issuance of an Interim Final Rule on April 29, 2002. However, the Interim Final Rule deferred AML program requirements for certain FIs including “private bankers”. On November 6, 2002, FinCEN amended the Interim Final Rule, extending the deferral indefinitely and adding any bank “that is not subject to regulation by a Federal Functional Regulator”. Perhaps inadvertently, FinCEN created this gap, exempting certain FIs from the AML program requirement. (Department of the Treasury, Financial Crimes Enforcement Network, 2016, p. 58427)

Section 326 of the USA PATRIOT Act requires FinCEN to prescribe regulations that require FIs to establish programs for account opening, in other words a Customer Identification Program (CIP), or Member Identification Program (MIP) in credit union industry terms. When CIP requirements were finalized on May 9, 2003, non-federally insured credit unions were required to comply. On the same day, FinCEN published an ANPR that would have imposed CIP requirements on all other state-regulated banks without a FFR. The proposed rule was never finalized. (Department of the Treasury, Financial Crimes Enforcement Network, 2016, p. 58427)

On May 11, 2016, FinCEN published the final “CDD Rule” that clarifies and strengthens Customer Due Diligence (CDD) requirements for certain FIs, including federally regulated banks. The CDD Rule also amends AML program requirements for these FIs. This Rule states, “For purposes of regulatory consistency, FinCEN believes that it is appropriate that these requirements should apply to non-federally regulated banks as well …” (Department of the Treasury, Financial Crimes Enforcement Network, 2016, p. 58427) As highlighted in the recent ACAMS Today article, “Understanding customer risk,” it is relevant to remember that the CDD Rule is more than customer and beneficial ownership identification and verification. FinCEN included two additional elements:

• “Understanding the nature and purpose of customer relationships to develop a customer risk profile, and
• Ongoing monitoring for reporting suspicious transactions and, on a risk basis, maintaining and updating customer information.” (Gemayel, 2016, p. 64)

Privately insured NPCUs have been subject to BSA program requirements, including filing Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) and certain recordkeeping standards dating to the Currency and Financial Transactions Reporting Act of 1970, as well as prohibitions against maintaining correspondent accounts for foreign shell banks from the USA PATRIOT Act. (Department of the Treasury, Financial Crimes Enforcement Network, 2016, pp. 58425, 58427) While privately insured NPCUs may have this AML program “gap”, the presence of the state regulator following standards set by the FFIEC BSA/AML Examination Manual reduces the probability of widespread program deficiencies. (FFIEC, 2016)

[3] Vol. 81, No 165, pp. 58425-58434.
[4] Four Pillars: 1) Development of internal policies, procedures and controls; 2) Designation of a compliance officer; 3) An ongoing employee training program; and 4) An independent audit function to test.

The Correspondent Banking Model and Its Risks

“U.S. banks, through the correspondent accounts they provide to foreign banks, have become conduits for dirty money flowing into the American financial system and have, as a result, facilitated illicit enterprises, including drug trafficking and financial fraud.” (Minority Staff of the Permanent Subcommittee on Investigations of the Committee on Governmental Affairs of the United States Senate, 2001)

The focus of the aforementioned 2001 report to the U.S. Senate was correspondent banking in the U.S.; however, it could be stated that the same risks applied to correspondent banking in any of a number of global financial markets. In the years following 9/11, banking regulators and global banking standards-setters issued a number of reports on the risks associated with correspondent banking. This led the global banking industry to coalesce around the risks in correspondent banking. (Atkinson, 2012, pp. 1-2) The Wolfsberg Group defines correspondent banking as,

“[T]he provision of a current or other liability account, and related services, to another financial institution, including affiliates, used for the execution of third party payments and trade finance, as well as its own cash clearing, liquidity management and short-term borrowing or investment needs in a particular currency. A Correspondent Bank is effectively acting as its Correspondent’s agent or conduit, executing and/or processing payments or other transactions for the Correspondent’s customers. These customers may be individuals, legal entities or even other financial institutions. A correspondent relationship is characterized by its on-going, repetitive nature and does not generally exist in the context of one-off transactions.” (The Wolfsberg Group, 2014, pp. 1-2)


A corporate credit union is the correspondent, and holds deposits owned by its NPCU members (respondents). Through a membership agreement and service contracts, a corporate credit union provides payment, liquidity, investment and other services to its members (respondents) in an ongoing repetitive relationship. The European Central Bank (ECB) includes a reciprocal arrangement in its definition; however, in the corporate credit union structure, the arrangements are not reciprocal. According to the Bank for International Settlements (BIS) and its definition of a traditional correspondent banking relationship, the respondent bank’s customers do not have direct access to the correspondent account, but they transact business indirectly. The corporate credit union–NPCU structure contrasts with the higher risk “nested” correspondent banking structure whereby a bank’s correspondent relationship is used by several respondent banks. The traditional correspondent banking relationship also contrasts with the higher risk payable-through account or “pass-through” or “pass-by” account whereby the respondent bank allows its customers to access the correspondent account directly to conduct business on their own behalf. (Committee on Payments and Market Infrastructures, 2015, pp. 7-8) (Michaela Erbenova, 2016, p. 8) A respondent bank often seeks a correspondent bank to facilitate domestic and cross-border payments. While a corporate credit union can provide its member credit unions cross-border payments in the form of both international wire transfer and international ACH payments, because of the limitation on business lending, most NPCUs have a limited number of business entity members. Some NPCU charters actually prohibit business entity members. Most international payments therefore have a natural person component, in the form of Person-To-Person (P2P) or Business-To-Person (B2P) payments, rather than the often riskier Business-To-Business (B2B) payments. 
Credit unions do not typically engage in international trade finance or any type of international trade credit for similar non-business entity member reasons. In a referenced International Monetary Fund (IMF) report, significant compliance costs are cited as among the reasons for withdrawal of correspondent banking relationships across the globe, including the 2012 revised Financial Action Task Force (FATF) standard for Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) that places greater emphasis on risk assessment and the application of a risk-based approach to CDD. In addition, the enforcement landscape has also been changing. The IMF report cites actions by the U.S. and European Union (EU) authorities imposing penalties to deter misconduct, as well as the perception of regulatory expectations and uncertainty around CDD requirements as additional concerns for FIs in maintaining correspondent banking relationships. (Michaela Erbenova, 2016, pp. 21, 23-26)

A number of NPCUs, pre-financial crisis, did use banks to provide payment services. Corporate credit unions typically found themselves in competition with banks, even with some of the Federal Reserve Banks (FRBs), for payment processing. For many of the compliance reasons cited, most banks and the FRBs have exited the business of serving the payments needs of NPCUs.

Regardless of whether the relationship involves foreign payments or not, the risks inherent in the traditional correspondent relationship are the same: understanding the nature of the banking activity conducted by the respondent’s customers, and the difficulty of conducting adequate CDD on the respondent’s customers in order to mitigate the risk of, or at least identify when, a respondent’s customer is engaged in “unusual” or illegal activity. Transaction monitoring is not new and was not articulated for the first time in the aforementioned CDD Rule. The CDD Rule simply reinforces the need to “understand the nature and purpose of customer relationships to develop a risk profile.” It is the customer/member risk profile that forms the basis from which a corporate credit union can begin to assess whether a transaction is suspicious or not. (Gemayel, 2016, p. 64) In other words, the risks are ones of detection and monitoring that lead to reputation, compliance and regulatory risks.

While the corporate credit union–NPCU model is a higher risk correspondent-respondent relationship, the reputation, regulatory and compliance risks in this relationship are mitigated in a number of structural ways, including the aforementioned factors, summarized in the following:

• Simple correspondent-respondent structure (not nested, no pass-through)
• Underlying agreements between corporate credit union and NPCU members
• NPCUs are regulated FIs with BSA/AML regulatory requirements
• Payments have a higher mix of consumer over business source
• No international trade finance or trade credit

MIP and MDD Requirements for Corporate Credit Unions

As a FI, a corporate credit union must have a written MIP to implement Section 326 of the USA PATRIOT Act and its implementing regulation. The goal of MIP is to form a reasonable belief that the corporate credit union knows the true identity of its NPCU member (respondent). Corporate credit unions cannot have natural persons among their membership; members are 100 percent business entities. Given that a corporate credit union’s members are predominantly regulated NPCUs, MIP is straightforward. The corporate credit union’s account opening procedures must detail the minimum identifying information, typically the following:

• Entity name
• Physical address
• Government-issued identification number (Tax Identification Number, TIN, or Employer Identification Number, EIN)

Risk-based verification steps are taken, including documentary and non-documentary methods. Documentary verification showing the legal existence of a NPCU could include checking the NCUA website and its call report data for the NPCU name and address, locating the NPCU in the Lyons directory of credit unions, or charter documentation in the case of a de novo credit union. Non-documentary verification may include the use of Google Earth to verify a structure at the stated physical address, records of onsite sales calls by staff, and staff verification of a viable credit union website. Finally, in obtaining signatures on the underlying membership agreement, names of individuals with authority or control over the account are collected. The names are checked against government lists, including OFAC. The corporate credit union is also required under Section 312 of the USA PATRIOT Act to establish and maintain a due diligence program, the goal of which is to enable the corporate credit union to detect and report, on an ongoing basis, unusual and illegal transactions and activity, and any possible or suspected Money Laundering (ML) or Terrorist Financing (TF) activity. This includes a risk assessment of new members and a risk assessment conducted on the entirety of the corporate credit union’s membership no less frequently than annually. The concern for a corporate credit union serving its respondent NPCUs is in the ability to adequately and accurately profile the risk of the member credit union, and to then respond with a BSA/AML/CFT program that mitigates detection and monitoring risks, reputation, compliance, and regulatory risks. FATF, in its Forty Recommendations, sets international standards for combating ML and TF that have global endorsement. FATF is also interested in improving transparency and the pursuit of legal frameworks under which financial crimes can be prosecuted. 
In its Recommendation 13, Correspondent banking, FATF recommends a number of due diligence steps that it believes should be required of FIs engaged in correspondent banking. The most relevant for a corporate credit union may be 13(a), which follows:

Gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision, including whether it has been subject to any money laundering or terrorist financing investigation or regulatory action[.] (Financial Action Task Force, 2016)

Starting with the corporate credit union’s own risk assessment, the key in determining the quantity of inherent risk is to assess the following for the corporate credit union and its membership:

• Customer (member) risk
• Product risk
• Geographic risk

The following lists additional risk factors or assessments that a corporate credit union might want to use to evaluate its NPCU members, to the extent possible. The corporate credit union should also cite evidence to support the response(s).

• Characterize the NPCU’s FOM.
• Characterize the adequacy of the NPCU’s MIP program.
• Is the NPCU’s risk profile “higher than” the risk appetite of the corporate credit union?
• Is the NPCU’s member acceptance program adequate?
• Characterize the adequacy of the NPCU’s overall BSA/AML/CFT compliance program.
• Is the NPCU adequately identifying and managing its member risk factors?
• What are the NPCU’s geographic risk factors and where do the NPCU’s members conduct their transactions?
• Does the NPCU allow its business members to originate transactions for clients that may or may not be members of the NPCU?
    o If so, does the NPCU monitor these transactions?
• Is the NPCU engaged in providing higher risk products and services, including those identified by regulators as high risk?
    o Private banking,
    o Trust services,
    o Money services businesses, and/or
    o Cash-intensive members.

Corporate credit unions also exercise a certain amount of reliance. NPCUs are subject to the same FFIEC BSA/AML Examination Manual standards as the corporate credit union, noting the aforementioned possible gap regarding AML programs of privately insured NPCUs. (FFIEC, 2016)

To augment information flow during the onboarding process, FIs are increasingly using questionnaires to obtain information in addition to what is required for MIP. One such questionnaire is the Wolfsberg Group Anti-Money Laundering Questionnaire (version, 2014). The Wolfsberg Group is a group of the largest multi-national FIs that meet to establish guidance and best practice. The purpose of the questionnaire is succinctly included in the form itself, as in the copy immediately following. (The Wolfsberg Group, 2016)

FIs differ in their risk appetite and many FIs supplement the information from the Wolfsberg Survey with questionnaires of their own design. The following is an abbreviated snapshot of the questionnaire required of new Corporate One Federal Credit Union (COFCU) NPCU members:

A current risk and compliance issue for corporate credit unions (and all FIs) is the legality of recreational and/or medicinal marijuana in the states in which their member credit unions’ members conduct transactions. This is particularly true with respect to the aforementioned state-chartered, privately insured credit unions that may choose to conduct, depending on their state regulators, transactions with Marijuana-Related Businesses (MRBs) without the burden of filing a Marijuana Limited SAR. The compliance issue is the dichotomy between federal drug laws that maintain marijuana in all forms as a prohibited substance, and states that enact their own levels of permissibility. Federally-chartered and/or federally insured FIs must comply with the federal statutes that require SARs, even if the transaction complies with state statutes. FIs without a federal regulator may find their state regulator amenable to serving MRBs without SAR filings, especially if state statutes permit certain types of marijuana use.

First, a NPCU has no obligation to inform the corporate credit union that it chooses to serve MRBs. Second, the NPCU may not have conducted sufficient MDD to identify that its member is an MRB, or that a member has become an MRB since joining the NPCU. The new CDD Rule is silent on what exactly triggers the application of the new CDD standards on existing customers/members. Third, the federally-chartered corporate credit union owns detection and monitoring risks for failing to identify an unbatched [5] marijuana-related transaction flowing through it, and the regulatory and compliance risks that it fails to file the appropriate SAR.

Ohio will implement medicinal marijuana over the course of the next two years. COFCU, with its legacy geographic membership in Ohio, has 50 privately insured members in Ohio who may knowingly, or not, serve MRBs. This is in addition to eight privately insured members who were already in medicinal and recreational marijuana states. To identify marijuana-related risk, a corporate credit union can adapt its member risk assessments. MIP data can identify NPCUs doing business in states with marijuana legalization. A corporate credit union can monitor transactions for marijuana-related vocabulary. A corporate credit union that provides vault cash can monitor changes in cash volumes that might suggest marijuana cash transactions, especially in states where MRBs are not typically banked.

Another example of a corporate credit union’s identification risk from earlier this year begins with a privately insured member credit union’s outgoing wire request to Ukraine. Since Ukraine is subject to a number of sanctions, the wire was held in a review queue. Wires staff contacted the member credit union for information about the purpose and beneficiary of the wire. The member credit union provided a copy of a contract provided by their natural person member. While the contract was written in both English and Cyrillic, it was clear that the contract involved technology services. When asked, the member replied that they had no information about their member’s expertise in a technology field. The member was a longer-term member and no updated MIP had been conducted (nor was it required). COFCU rejected the wire after staff felt that it had insufficient information to determine compliance with the complicated Ukraine sanctions. The member’s MIP might be in 100% regulatory compliance, yet the MIP gap was detected by COFCU’s proactive wire monitoring. Wire monitoring mitigates the corporate credit union’s regulatory and compliance risk.

Another example of risks transferred to a corporate credit union is found in the $3.6 million North Dade Community Development Federal Credit Union (North Dade) of Miami Gardens, FL. North Dade was a member of the former Southeast Corporate Credit Union (Southeast). On November 24, 2014, following a Cease and Desist Order from the NCUA on September 6, 2013, North Dade was fined $300,000 by FinCEN. In commenting on the FinCEN action, then-FinCEN Director Jennifer Shasky Calvery said, “When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage.” (Baxter, 2014)

[5] Unbatched transactions include wire transfers/electronic funds transfers where payment data is also scanned for OFAC/Sanctions compliance. This contrasts with batched transactions including ACH and share drafts (checks) that are processed in batch, without exposing payee, payor, or individual dollar values.

FinCEN added, “North Dade agreed to become the depository institution for the vendor’s [Money Service Business] (MSB) clients, providing sub-accounts for each MSB to conduct deposits and transfer funds.” The agency added, “Under the contract, the vendor was North Dade’s member and customer and the vendor’s MSB clients were not. However, in practice, 56 of the vendor’s MSBs sub-accounts could receive financial services directly from North Dade.” (Baxter, 2014)

North Dade likely never consulted Southeast before signing a contract with the aforementioned vendor. The vendor’s transactions were likely processed through Southeast in the time leading up to the NCUA’s actions. Because the vendor and its subaccounts functioned in a manner similar to a correspondent-respondent model, Southeast had to look for other indicators of unusual activity, such as large dollar volumes and wire beneficiaries, in order to identify suspicious activity and file SARs.

North Dade is an extreme example of risk transfer from a NPCU to its corporate credit union. However, an interview conducted with Kurt Gredzinski, the Policy, Training, and Outreach Team Chief at Special Operations Command, Department of Defense (SOCOM), tells a cautionary tale. SOCOM investigates transnational criminal threats, including drug trafficking, counterfeit instruments, and terrorism. In the interview, Mr. Gredzinski cited “complacency at the local level”. While not all NPCUs are small, Gredzinski reported that smaller FIs are prime targets because they may not have enough staff to do CDD. (Gredzinski, 2016)

While the earlier reference to Mr. Brannon’s article from 2012 touts the benefits of the credit union’s common bond through their FOM, Gredzinski sees the flaws in that argument. The risk is that the 20-year NPCU member might be co-opted by a criminal element because the criminal has reason to believe that after 20 years of transactions, the NPCU has been lulled into complacency, believing that they really “know” this member. With small staff levels, the 20 years of membership might be a factor that management considers a risk mitigant. (Gredzinski, 2016) According to Gredzinski, criminal networks are extraordinarily large and financial “criminals” do not typically fit the stereotype of what a criminal “looks like”.

“If the credit union's members associated with each other on a regular basis, they would be less likely to default on their obligations knowing that their friends, neighbors and co-workers would end up paying the price. The same logic can be seen from the lender's side of the table as well. The numbers and data from a credit history can be invaluable, but so too is personal knowledge, forged through a common bond, of how a potential borrower conducts himself.” (Brannon, 2012)

FLAWED ARGUMENT?

Gredzinski further stated that FIs often fail to determine the source of wealth for their wealthy members. Gredzinski added that crime often DOES pay. (Gredzinski, 2016) Finally, Gredzinski cited a shift within criminal networks from drug crime to financial crime and, in some cases, a diversification of criminal gangs into financial crime. The “benefits” of financial crime over drug crime include the complexity of financial crime and the difficulty of explaining financial crime to a jury, the wide geographic dispersion over which a financial crime can occur, and the 5-year statute of limitations. He reported that crime networks are actually marketing money laundering as a “product” to other crime networks. (Gredzinski, 2016)

Ultimately, according to Gredzinski, relying on the common bond characteristic of NPCUs can make a credit union complacent and lead a NPCU into becoming a prime target for criminal activity. (Gredzinski, 2016)

A compliance-based high risk member assessment process is designed to identify those member credit unions that pose a higher risk of engaging in higher risk activities, resulting in the allocation of scarce monitoring resources by the corporate credit union to the transactions of the higher risk members. It is important to note, however, that it is not so much that the member credit union will engage in high risk activities; it is the member credit union’s members’ transactions that are of concern. In the case of Gredzinski’s assertions, a corporate credit union may consider a NPCU’s overall staffing in its new member and ongoing high risk member assessment.

The risk assessment goal is to identify high(er) risk members, ultimately for targeted Enhanced Due Diligence (EDD) resources, but all members and their transactions are under some form of MDD. In addition to the aforementioned risk categories and assessments, a corporate credit union may want to add the following inherent risk categories:

Member credit union regulator(s)

Member credit union staffing levels

Results of adverse media searches on the member credit union and any known legal or regulatory findings

In the case of COFCU, the high risk member assessment is a quantitative matrix. The BSA/AML Officer has the additional ability to add points for the assessment of responses to the Wolfsberg Survey and the additional questionnaire. When conducted across existing members on an annual basis, the high risk member assessment framework will also include the following:


History of previous SAR filings on the member

Documented observations of higher risk transactions

Updated observations since the initial risk assessment, including comparison between anticipated volume and actual volume, and changes in volume

While, in the case of COFCU, the membership agreement allows the corporate credit union to obtain and review a NPCU’s written BSA/AML/CFT program, this is not typically done unless surveillance or payment processing issues drive the request. As noted previously, the adequacy of the NPCU member BSA/AML programs is examined by the respective regulators. While regulators do not share their assessment of a NPCU’s BSA/AML program with the respective corporate credit union(s), there is a level of reliance on the regulators and agreement across the regulating bodies on the program standards, as articulated in the FFIEC BSA/AML Examination Manual. (FFIEC, 2016)

A corporate credit union will find it difficult to stop serving a member credit union even if the NPCU’s level of residual risk is greater than the corporate credit union’s risk appetite. The NCUA prefers to keep a high risk NPCU “within the credit union network”, served by a corporate credit union, rather than have the NPCU seek services elsewhere. This is akin to FinCEN’s statements against de-risking, wanting to keep higher risk financial activities from going “underground”. (Financial Crimes Enforcement Network, 2016) In fact, the aforementioned move away from the correspondent-respondent model by large, regional banks that previously may have served NPCUs helped consolidate these activities within the credit union network and, for the most part, under the scrutiny of the NCUA.

When faced with higher risk members and higher risk activities, a corporate credit union may seek to upgrade its monitoring and detection programs to reduce the level of residual risk. Corporate credit unions can also choose not to provide a particular higher risk product or service, or in some cases prohibit the extension of credit to a high risk member credit union, if the residual risk is at an unacceptable level.

Audit Approach: Corporate Credit Union High Risk Member Assessments

The key element of scoping and planning an independent audit is the risk assessment. The corporate credit union is required by FFIEC BSA/AML Examination Guidelines to prepare a BSA/AML risk assessment at least annually (FFIEC, 2016, p. 10). It is important to document in the audit scope that the audit is limited to the high risk member assessment processes, specifically how the corporate credit union’s process addresses the inherent risks noted above. The risk assessment also extends to how the corporate credit union appropriately identifies the inherent risks associated with a member’s members, the products and services the member provides, and the geography in which the members conduct their business. This is followed by the corporate credit union’s mitigation of these risks: the identification of inherent risks, compliance risks, regulatory and prior audit risks, and detection and monitoring risks.

The high risk member assessment audit program must be appropriate for the corporate credit union’s risk profile. Most corporate credit unions have an Enterprise-Wide Risk Management Committee (EWRMC) whose role is to articulate their risk appetite and to monitor their overall risk profile. The EWRMC also sets risk assessment standards, including the acceptance of all final risk assessments, aggregation of all gaps, and monitoring of mitigation plans.

This limited audit program must cover the regulations and guidance specific to corporate credit unions. In addition to laws like the USA PATRIOT Act and the aforementioned CDD Rule, corporate credit unions’ primary regulation is NCUA Rules & Regulations, Part 704 – Corporate Credit Unions. That regulation, however, is silent with respect to BSA/AML/CFT. The NCUA issues periodic guidance memoranda to clarify when a specific law or regulation is ambiguous due to the structure of corporate credit unions.

As most corporate credit union members are NPCUs and regulated FIs, NPCU members will be exempt from the ownership aspects of the CDD Rule. When engaged on this point, the instructor in the May 2016 ACAMS-Audit session expressed the belief that best practice suggests a corporate credit union will want to identify at least one “controller” for each credit union member. (Sonnenschein, 2016) In most cases, the latter will be the member’s CEO, president, or managing officer. A subsequent contact by COFCU’s independent BSA/AML program reviewer with the NCUA leads COFCU to believe that the NCUA will require the identification of the members’ controllers, including some sort of verification. The extent of the latter remains undefined. (Lembach, 2016)

Not all corporate credit union members are NPCUs. Credit union leagues, Credit Union Service Organizations (CUSOs), and foundations may also be among a corporate credit union’s membership. These business entities will not qualify for CDD Rule exemption. Corporate credit unions have no retail member experience, so a corporate credit union needs to begin to address how new non-credit union members will be assessed initially for the ownership and control prongs and what might be among the trigger events that will cause the corporate credit union to obtain ownership and control information for existing non-credit union members. As the CDD Rule is not effective until 2018 and therefore not part of a current high risk member assessment audit, the audit plan would be within its scope to incorporate a discussion of any planning and preparation underway with primary stakeholders to ensure the corporate credit union is ready for the regulation’s effective date.

If previous BSA/AML program audits have been conducted, these work papers and final reports should be consulted in scoping the audit. The NCUA and other regulatory examinations should be included along with previous risk assessments in order to help ascertain the direction of the inherent risk factors and how the quality of the mitigation has changed over time.

High Risk Member Assessment Audit – Recommendations and Reporting

Stage 2 of the audit begins with fieldwork and testing. It begins with gathering from the business owners copies of policies and procedures that govern the high risk member assessment process. For example, when a NPCU presents itself for membership, what is the first step in the identification procedure? A flow chart is typically an excellent method of presenting a procedure to an auditor for testing. While an experienced auditor might readily identify gaps in a procedure, it is useful for the auditor to sit with staff engaged in the procedure in order to complete an initial gap analysis. Gap analysis can be narrowed to the question of “what can go wrong” with a step in a procedure, as well as a review of exceptions, if any.

A new member starts the process toward the initial high risk member assessment with MIP. MIP is focused on identification and validation, but it is also key in kicking off the initial risk assessment of the new member that will follow. That means identification of the NPCU’s membership, the products and services the member provides its members, and the geographic scope in which the member’s members conduct their activities. This information includes anticipated volume. But it also includes questions designed to help the FI characterize the customers of the respondent, or in this case, the members of the new NPCU member.

It is typical for a corporate credit union to employ a customer information management system to manage its membership data. COFCU uses Salesforce. Working with BSA/AML department leadership, COFCU has used Salesforce to draw much of the membership and geographic risk assessment data from 5300 Call Report data, membership applications, initial due diligence questionnaires, and MIP. All NPCUs are loaded into Salesforce and flagged as member or prospect and, on a quarterly basis, 5300 Call Report data is uploaded, refreshing membership types, asset size, and physical addresses, among other fields. In the onboarding process conducted during MIP, COFCU staff will also identify if the new member conducts business in a higher risk geography, such as a High Intensity Drug Trafficking Area (HIDTA) or a High Intensity Financial Crimes Area (HIFCA), marking simple checkboxes in the Salesforce record. Staff in Implementations who bring new members on to COFCU’s products and services platforms will mark the Salesforce record as the member goes “live”.

An auditor may ask: in the onboarding process, does the corporate credit union attempt to obtain expected transaction volumes? If so, does the corporate credit union then attempt to compare expected volumes with actual transaction volumes? How does the corporate credit union resolve large variances between expected and actual volumes? Where does responsibility for this analysis lie – with the business owner or the BSA/AML Officer?

While the data collected in Salesforce is valuable in conducting that initial risk assessment, an auditor will readily identify the inherent risk in this process: the largely manual nature of the information gathering. The auditor will then evaluate controls in the procedures designed to mitigate the risk of inaccurate data. In the case of COFCU, standing reports can be useful for BSA/AML Department staff to periodically sample and test data accuracy. The auditor will want to test the reporting for accuracy and completeness, ensuring all members are accounted for in the scope of the reports.

From the initial gap analysis, the auditor will want to conduct walk-throughs with key process owners to identify inherent risks and evaluate existing controls in the procedures designed to mitigate risks. For example, the first line Marketing Administration staff complete a checklist covering the documentary and non-documentary sources that can be used for MIP for a given member type. A secondary review of the checklist is conducted before a new member’s settlement account can be opened.

The audit should also address triggering events and timing. What triggers the BSA/AML staff to conduct an initial risk assessment of a new member? How quickly after a member joins the corporate credit union should the initial high risk member assessment be conducted? How does the initial high risk member assessment coordinate with the timeline for a product implementation?

Most FIs appear to use quantitative factors in a scorecard approach for their high risk member assessments. This helps to make the risk assessment process at worst spreadsheet-driven, and for those with a system, largely automated. Many FIs then allow for some qualitative factors to be included. If a corporate credit union is risk averse, it may want to heavily penalize a member serving a geographic area including a recreational marijuana state in its quantitative risk assessment matrix. This may result in a near certainty that its members in the legal marijuana states will be escalated to high risk and EDD.


Escalating a credit union to EDD helps mitigate the risk of monitoring and detection failures by intensifying these efforts and focus. However, a large list of high risk members is counterproductive. If monitoring resources are limited, as corporate credit unions would contend, increasing EDD requirements might mean even fewer resources are available for regular MDD activities. As a third party trainer used by COFCU states routinely, devoting scarce resources to higher risk members is like employing the “99-1 Rule”. In this context, the “99-1 Rule” asserts that 99 percent of the risk comes from just 1 percent of the members, and 99 percent of due diligence resources should be devoted to this 1 percent presenting the highest risk. He also contends that the size of the high-risk member list should represent 1-2 percent of total members in most cases. (Dever, 2016) COFCU’s high risk member list has averaged between 2 and 2.5 percent of its members over the past three (3) years.

The auditor will validate the spreadsheet and calculations. The auditor should also sample the inputs to ensure that, if they come from a system like Salesforce, the information was brought over accurately. Many risk rating calculations allow for a qualitative assessment or additional factor that places a member on the high risk member list. If the corporate credit union is adding a lot of qualitative points, perhaps the quantitative assessment is not accurately placing a member engaged in high risk activities on the high risk member list, and the corporate credit union is compensating with qualitative points. The auditor will want to engage the compliance staff, perhaps looking closely at shifting points from one category to another.

If a corporate credit union uses questionnaires in their MIP and for their member risk assessments, the auditor should walk through the process of data collection and determine how the data is used and retained. The new CDD Rule is not specific about what would trigger the updating of an existing customer/member record to the upcoming CDD Rule standard, but an auditor will want to address how the corporate credit union plans to address its members that joined prior to the implementation of surveys and questionnaires, where there is a potential information gap in the current high risk member assessment process.

The corporate credit union should also back-test their high-risk member assignments. Keeping in mind that the higher risk members should be receiving more of the transaction monitoring focus from staff, the question is whether higher risk members are actually driving a disproportionate number of the investigations and SARs filed. If not, the risk assessment process may be driving limited staff resources toward the wrong members. The audit should look for this alignment within the audit scope.

The high risk member assessment matrix may assign points to members on whom SARs have been filed. However, the nature of the SARs may be a better factor in the assessment than a raw count of SARs. NPCUs with a community charter are exposed to any number of frauds, scams, and typical schemes seen by most FIs from time to time. However, a small NPCU serving the meat packing plant’s 1,000 employees and their families may not see much in the way of fraudulent checks. A high number of SARs from this small NPCU might be more salient toward naming the NPCU to a high risk member list than a raw count of SARs filed by a member with tens of thousands of members. Back-testing by the audit staff will be important to validating this factor, if it is present in the risk assessment.

The final step in the fieldwork and testing phase is the actual testing. High risk member assessment testing includes ensuring that new members added since the last audit have been properly processed through the procedures. Starting with MIP, testing also includes the proper retention standards, and retention of documentation of the initial risk assessment, including questionnaires, if any, and the scoring matrix.

Assuming the review of previous audits does not include a history of previous weakness, the auditor will randomly select from the provided list of new members the MIP files to be reviewed. Perhaps 5-10 percent of the new members is a place to start, with a relatively even distribution over the time frame since the last audit, assuming that the quantity is reasonable. It is typical for a corporate credit union to add a few members a month, maybe two to four dozen members over the course of a typical year. The testing sample should be expanded if issues are found in the first files; perhaps up to half of the new member files will be tested.

A list of all members should also be provided to the auditor. A similar selection process should be pursued, limiting the sample size to a few percent of the total membership – somewhere between one and five percent yields a reasonable number to test.
The auditor again should expand the sample size if problems are found in the first sample.

The auditor will want to review the annual high risk member assessment process and validate the calculations in the matrix, if used, and any documentation of qualitative elements. The audit should also cover the change in composition of the high risk member list, year-over-year. Along with the aforementioned back-testing, any changes in the list should be reviewed for reasonableness. Any changes in the matrix itself should also be reviewed for justification and outcome.

If the auditor finds issues in the initial testing and expands the scope of the sampling, a good auditor identifies for the primary stakeholders why the sample size is being increased and the initial concerns that he or she is looking to confirm through testing additional member files. The primary stakeholders should engage the business owners or business lines to identify the root cause(s) for the identified weakness(es). Perhaps the corporate credit union experienced staff turnover and a control in the procedure was temporarily suspended due to an open position. Does testing of MIP conducted after the position was filled show the same deficiency? Was the new hire given specific MIP training?

If, in scoping the audit, the auditor finds previous weakness in the MIP process, the auditor should not only test to see that the errant files were corrected; other files originated at the same time and not previously tested should also be included in the scope of the testing. The auditor should also look at the procedure to see if the previously identified weakness has been addressed by an improved control.

Other testing techniques include observation and questioning staff. In addition to engaging primary stakeholders on the subject, when engaging staff an auditor should ask how staff keep apprised of changing BSA/AML/CFT typologies and abreast of changes in regulations affecting their business line.

Effective auditors raise any concern or control gap as soon as it is identified, be it during the planning and scoping stage or during the fieldwork and testing stage, even if that communication is informal with the business owner or a key stakeholder. That communication helps to ensure that the understanding of the procedure is factual and that the sampling documentation is accurate, and it allows the business owner to take corrective action immediately in some cases.

As the audit concludes, it is not complete without a final report. Stage 3 requires Recommendations and Reporting resulting from the audit. The FFIEC BSA/AML Examination Manual requires the independent reviewer to provide an evaluation of the overall adequacy and effectiveness of the BSA/AML compliance program, including policies, procedures, and processes, and to include an explicit statement about the program’s overall adequacy and effectiveness and compliance with applicable regulatory requirements (FFIEC, 2016, p. 12). An audit as limited as one of a corporate credit union’s high risk member assessment would not need this expansive a final report.

The auditor finalizes results of the fieldwork and testing. The auditor compiles a list of findings and meets with the same primary stakeholders to review the results and initiates a discussion and validation of the control weaknesses identified. Finally, a written report is issued.
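The back-testing checks described in the fieldwork stage above can be run directly against the scoring matrix. The following is an added example, not part of the original paper or COFCU's process: the threshold, point values, member names and counts are all constructed assumptions. It measures the size of the high risk list against the 1-2 percent guideline, the share of SARs the list accounts for, which members are on the list only because of qualitative points, and how ranking off-list members by SARs per 1,000 of their own members differs from ranking by raw count.

```python
from dataclasses import dataclass

THRESHOLD = 60  # assumed cut-off score for the high risk member list


@dataclass
class Member:
    name: str
    quant_points: int    # points from the quantitative matrix
    qual_points: int     # points added by the BSA/AML Officer
    member_count: int    # size of the NPCU's own membership
    sars: int            # SARs filed on the member's activity in the period
    investigations: int  # investigations opened in the period

    @property
    def score(self) -> int:
        return self.quant_points + self.qual_points


def build_constructed_members():
    """Constructed population of 200 members; no real institution is represented."""
    named = [
        Member("Alpha CU", 70, 0, 40_000, 9, 14),
        Member("Bravo CU", 65, 5, 25_000, 6, 9),
        Member("Charlie CU", 45, 20, 12_000, 4, 6),  # listed only via qualitative points
        Member("Delta CU", 62, 0, 8_000, 0, 1),      # listed, but no SARs in the period
        Member("Plant CU", 30, 0, 1_000, 5, 5),      # small single-employer NPCU
        Member("Metro CU", 40, 0, 90_000, 6, 8),     # large community charter
    ]
    filler = [
        Member(f"NPCU-{i:03d}", 10 + (i % 4) * 5, 0, 5_000 + 100 * i,
               1 if i % 20 == 0 else 0, 1 if i % 10 == 0 else 0)
        for i in range(194)
    ]
    return named + filler


def share(part, whole):
    """Ratio that tolerates an empty denominator."""
    return part / whole if whole else 0.0


def backtest(members, threshold):
    """Compare the high risk list with where SARs and investigations actually arose."""
    listed = [m for m in members if m.score >= threshold]
    list_share = share(len(listed), len(members))
    sar_share = share(sum(m.sars for m in listed), sum(m.sars for m in members))
    inv_share = share(sum(m.investigations for m in listed),
                      sum(m.investigations for m in members))
    return {
        "high_risk": [m.name for m in listed],
        "list_share": list_share,            # compare with the 1-2 percent guideline
        "sar_share": sar_share,
        "investigation_share": inv_share,
        "lift": share(sar_share, list_share),  # above 1 means the list is disproportionate
        "qual_dependent": [m.name for m in listed if m.quant_points < threshold],
        "no_sar_on_list": [m.name for m in listed if m.sars == 0],
    }


def off_list_ranking(members, threshold, by_rate):
    """Rank members NOT on the list by raw SAR count or by SARs per 1,000 members."""
    off_list = [m for m in members if m.score < threshold and m.sars > 0]
    if by_rate:
        key = lambda m: m.sars / m.member_count * 1000
    else:
        key = lambda m: m.sars
    return [m.name for m in sorted(off_list, key=key, reverse=True)]


MEMBERS = build_constructed_members()

if __name__ == "__main__":
    result = backtest(MEMBERS, THRESHOLD)
    for field, value in result.items():
        print(f"{field}: {value}")
    print("off-list, raw count:", off_list_ranking(MEMBERS, THRESHOLD, by_rate=False)[:3])
    print("off-list, per 1,000:", off_list_ranking(MEMBERS, THRESHOLD, by_rate=True)[:3])
```

In this constructed data the list is 2 percent of members and accounts for 47.5 percent of SARs, while the size-adjusted ranking surfaces the small single-employer member that the raw count places behind a much larger one.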

High Risk Member Assessment Audit Resiliency

In order to ensure that the findings from any audit are closed and to reduce the probability of a finding’s recurrence, COFCU creates a “Red-Green Report”. Findings and recommendations are listed in detail in a table, all in Red font. Each item is assigned to the appropriate business line senior manager or executive. The assignee is expected to do a root cause analysis and devise a mitigation or correction for the finding and/or implement the recommendation or devise a better solution. Each item must have a deadline for implementation. The Red-Green Report goes to the monthly Board of Directors meeting, the quarterly Supervisory Committee meetings, and the quarterly EWRMC meetings. The Red-Green Report must be updated monthly. As a finding is closed, this is denoted by changing the print font from Red to Green.

Internal audit is integrated into the audit reporting. As the final report is released, the internal audit schedule for the various business lines will be adapted to re-test areas with findings. Following the delivery of a “Green” item on the Red-Green Report, Internal Audit may test to ensure the change, mitigation, or correction was implemented. Internal Audit should also adapt the scoping and planning of their regular audit plans to the changing risk profiles and to mitigate the risk of repeat audit findings.

Conclusion

At the conclusion of a corporate credit union’s high risk member assessment, the monitoring and detection risks should be reasonably understood. While the risks associated with adding a regulated NPCU to the corporate credit union’s membership can be broadly asserted as low risk, the greatest amount of compliance and regulatory risk might be in documenting the process. A strong high risk member assessment process is also going to set the stage for effective MDD and EDD decisions, with resources properly allocated to members that present higher risks. The EDD program should mitigate the risks associated with the failure to detect unusual or illegal activity from NPCU members, despite the member credit union’s own and largely identical regulatory and compliance requirements. With the final audit report in the hands of the Supervisory Committee and Board members of the corporate credit union, key stakeholders are in a position to fully understand the residual risks facing the corporate credit union.


Appendix A

Corporate credit union data, as of May 31, 2016.

| Corporate Credit Union Name | HQ Location | Assets | Members | FTE (note 6) |
|---|---|---|---|---|
| Alloya Corporate FCU | Warrenville, IL | $3,369,266,861 | 1,633 | 170 |
| Catalyst Corporate FCU | Plano, TX | $2,627,700,546 | 1,313 | 192.5 |
| Corporate America CU | Irondale, AL | $2,786,674,393 | 495 | 51.5 |
| Corporate Central CU | Muskego, WI | $1,357,461,731 | 344 | 31 |
| Corporate One FCU | Columbus, OH | $3,390,054,717 | 829 | 169.5 |
| Eastern Corporate FCU | Burlington, MA | $655,764,901 | 241 | 14.5 |
| First Carolina Corporate CU | Greensboro, NC | $1,338,640,484 | 215 | 24.5 |
| Kansas Corporate CU | Wichita, KS | $675,948,723 | 304 | 22 |
| Louisiana Corporate CU | Metairie, LA | $142,034,854 | 116 | 6.5 |
| Mid-Atlantic Corporate FCU | Middletown, PA | $2,532,813,172 | 749 | 128.5 |
| Tricorp FCU | Westbrook, ME | $295,961,680 | 128 | 11 |
| Volunteer Corporate CU | Nashville, TN | $1,286,883,366 | 351 | 48 |

6 Calculated FTE based on full-time plus 0.5 allocated for each part time.

Works Cited

American Share Insurance. (2016, August 8). Retrieved from www.americanshare.com

Atkinson, C. B. (2012). Reality Checks in Correspondent Banking: A Decade of Lessons Learned. Protiviti Inc.

Basel Committee on Banking Supervision. (2001). Customer due diligence for banks. Basel: Bank for International Settlements.

Baumann, D. (2016, August 25). FinCEN Proposes Anti-Money Laundering Rules for More Credit Unions. Credit Union Times.

Baxter, M. (2014, November 2014). $3.6M Miami CU Slapped with $300,000 BSA Fine. CreditUnionTimes, p. 1.

Brannon, I. (2012, November 27). Increasing Business Lending Cap Will Make Credit Unions TBTF. American Banker.

Committee on Payments and Market Infrastructures. (2015). Consultative report Correspondent banking. Basel: Bank for International Settlements.

Department of the Treasury, Financial Crimes Enforcement Network. (2016, August 25). 31 CFR Parts 1010 and 1020. Notice of proposed rulemaking, 81, No. 165. Federal Register.

Dever, M. (2016, May 4-5). Annual member 2-day training webinar. Columbus, Ohio, U.S.

Federal Corporate Credit Union Chartering Manual. (2016, August 8). Retrieved from National Credit Union Administration: https://www.ncua.gov/regulation-supervision/Pages/corporate-large/corporate-chartering%20manual.aspx

FFIEC. (2016, August 16). www.ffiec.gov. Retrieved from FFIEC BSA/AML Examination Guidelines, 2014 Update: http://www.ffiec.gov/bsa_aml_infobase/default.htm

Financial Action Task Force. (2016, August 23). Publications; Forty Recommendations. Retrieved from Financial Action Task Force: http://www.fatf-gafi.org/publications/fatfrecommendations/?hf=10&b=0&s=desc(fatf_releasedate)

Financial Crimes Enforcement Network. (2016, August 16). fincen.gov. Retrieved from FinCEN: www.fincen.gov/news_room/nr/pdf/20150825.pdf

Gemayel, R. (2016, September-November). Understanding customer risk. ACAMS Today, pp. 64-65.

Gredzinski, K. E. (2016, July 6). A view from a consumer of SARs. (J. B. Morrison, Interviewer) Tampa, FL, USA.

Lembach, S. (2016, September 23). COFCU Independent Review. (J. Morrison, Interviewer) Columbus, OH.

Merrick, B. (2016, August 23). http://www.cuna.org/. Retrieved from Credit Union National Association.

Michaela Erbenova, Y. L.-S.-J. (2016). The Withdrawal of Correspondent Banking Relationships: A Case for Policy Action. International Monetary Fund.

Minority Staff of the Permanent Subcommittee on Investigations of the Committee on Governmental Affairs of the United States Senate. (2001). Correspondent Banking: A Gateway for Money Laundering. Washington D.C.: United States Senate.

National Credit Union Administration. (2016, August 8). Retrieved from Call Report Quarterly Data: https://www.ncua.gov/analysis/Pages/call-report-data/quarterly-data.aspx

National Credit Union Administration. (2016, August 16). www.ncua.gov. Retrieved from National Credit Union Administration: https://www.ncua.gov/regulation-supervision/Pages/policy-compliance/communications/corporate-guidance-letters/lccu2011-04.aspx

Sonnenschein, J. (2016, May 25). (J. Morrison, Interviewer)

The Wolfsberg Group. (2014). Wolfsberg Anti-Money Laundering Principles for Correspondent Banking. The Wolfsberg Group.

The Wolfsberg Group. (2016, August 23). The Wolfsberg Group. Retrieved from The Wolfsberg Group: http://www.wolfsberg-principles.com/diligence.html

United States Department of the Treasury Financial Crimes Enforcement Network. (July 2010). Assessing the Impact of Amendments to the CTR Exemption Rules Implemented on January 5, 2009. Washington D.C.: Financial Crimes Enforcement Network.